
The FBI has issued a warning about a phishing service called Kali365 that has been used in hundreds of attacks against Microsoft 365 users since April 2026. What makes this attack especially dangerous is that it bypasses multi-factor authentication (MFA) — the extra security code that many people rely on as a safety net. Instead of stealing your password, the attackers trick you into logging in on Microsoft’s real website and unknowingly authorising an attacker-controlled device to access your account.
Here is how it works: you receive an email that looks like it is from a trusted service such as Adobe, DocuSign, or SharePoint, with a code you are asked to enter at a Microsoft login page. That page is genuine — but the code hands the attacker a long-lived access token for your Outlook, Teams, and OneDrive. From there, attackers can read your emails, send phishing messages to your contacts, and potentially access your organisation’s systems. Kali365 is sold through Telegram, meaning it is accessible even to criminals with little technical skill.
How to check if you’re affected
Every Microsoft 365 subscription tier is affected: personal, family, business, and school accounts are all equally at risk. You can review your account security right now:
- Check recent sign-in activity: Visit account.microsoft.com, go to Security → Sign-in activity, and look for any logins from locations, devices, or countries you don’t recognise.
- Review connected apps: In your Microsoft account, go to Privacy → App permissions and remove any app you did not intentionally authorise.
- Look for suspicious inbox rules: Open Outlook and check your inbox rules/filters — attackers often add rules that silently delete security alerts to extend their access undetected.
- Be suspicious of unexpected codes: If you receive a Microsoft device-code prompt you did not initiate, do not enter it. Legitimate services do not send unsolicited login codes.
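The sign-in review above can be turned into a repeatable check for an organisation. The script below is an added example, not code from the FBI advisory or from Microsoft; it assumes sign-in records shaped like the Microsoft Graph sign-in log (the authenticationProtocol, appDisplayName and location fields), and the sample records are constructed for the example.

```python
"""Triage device-code sign-ins in Entra sign-in records (added example, constructed data)."""
from collections import defaultdict

# Constructed sample records. Field names follow the Microsoft Graph signIn resource
# (authenticationProtocol, appDisplayName, location country); the values are made up.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2026-05-02T08:01:00Z", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Microsoft Teams", "country": "GB"},
    {"user": "alice@example.com", "time": "2026-05-03T09:15:00Z", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "country": "GB"},
    {"user": "alice@example.com", "time": "2026-05-04T13:42:00Z", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "country": "NL"},
    {"user": "bob@example.com", "time": "2026-05-04T10:00:00Z", "authenticationProtocol": "deviceCode",
     "appDisplayName": "Microsoft Office", "country": "GB"},
    {"user": "bob@example.com", "time": "2026-05-01T10:00:00Z", "authenticationProtocol": "oAuth2",
     "appDisplayName": "Outlook", "country": "GB"},
]


def location_baseline(signins):
    """Countries each user normally signs in from, built from non-device-code sign-ins only,
    so a single phished device-code sign-in cannot whitelist its own location."""
    baseline = defaultdict(set)
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            baseline[s["user"]].add(s["country"])
    return baseline


def triage_device_code_signins(signins):
    """Return every device-code sign-in with a severity: 'high' when the country is not in the
    user's baseline, 'medium' otherwise. Device-code sign-ins are rare for most users, so each
    one deserves a look; a new country on top of that matches the pattern described above."""
    baseline = location_baseline(signins)
    findings = []
    for s in signins:
        if s["authenticationProtocol"] != "deviceCode":
            continue
        severity = "high" if s["country"] not in baseline[s["user"]] else "medium"
        findings.append({"user": s["user"], "time": s["time"], "app": s["appDisplayName"],
                         "country": s["country"], "severity": severity})
    return findings


if __name__ == "__main__":
    for f in triage_device_code_signins(SAMPLE_SIGNINS):
        print(f"[{f['severity'].upper()}] {f['user']}: device-code sign-in from "
              f"{f['country']} at {f['time']} via {f['app']}")
```

In a real tenant the records would come from the sign-in log export rather than the inline list; every finding should then be matched against the app permissions and inbox rules checks listed above.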
